On 17.01.2012 03:22, Dale wrote:
> Howdy,
>
> It was on the news that some company got hacked into that was related to
> Amazon. They said Amazon users should change their password just as a
> precaution. I have a question, though. I use some pretty good passwords
> for the things that matter, sites such as my bank, credit card, ebay,
> paypal, newegg and others that may store things such as my credit card
> numbers. Here is an example, but not a close match to a typical password:
>
> $cb78862A!
>
> According to those password strength websites, that is a great
> password. Fairly long and lots of assorted characters and impossible to
> guess since it contains no personal info such as birthdays or pets.
> This is fairly typical for sites that matter. I may use something
> simple for sites such as forums or something, though.
>
> My question. If I have a really good password and someone gets hacked,
> should I change the password if the passwords are still safe? In other
> words, they got some data such as email addys but the passwords and
> credit cards are still secure. Should a person change it anyway?
>
> One reason I ask this. I remember my passwords well. If I go to
> changing them every time someone gets hacked, I'll never be able to keep
> up with them again. I use Lastpass to remember them, but it could stop
> working because of an upgrade or something. Then again, I could use its
> autogenerate thing and just HOPE for the best on upgrades.
>
> Thoughts? What do you guys, and our gal, do in situations like this?
>
> Dale
>
> :-) :-)
>

Well, "it depends" is the only answer I can really give. There are
basically 4 scenarios which might have occurred:

1. Plaintext passwords were stolen. Then you should definitely change
your pw. I doubt Amazon is stupid enough to store passwords as
plaintext, though.

2. Relatively weak password hashes were stolen, for example MD5 or SHA1
with no salt. With modern PCs, it isn't too hard to brute-force against
such, even without rainbow tables. Then you should change your password,
but you might get lucky and not need to.

3. Strong password hashes were used (something slow with a lot of salt,
possibly without storing the salt so it has to be guessed as well). Then
you don't need to change your password.

4. Something else was done. For example known-plaintext or
man-in-the-middle attacks against users. Then, well, it depends again ;)

Concerning how I'd handle it: I use app-admin/keepassx with a master
password. I'd just change the random Amazon password as I've not
memorized it.

Obligatory xkcd reference: http://xkcd.com/936/
(I've checked the math, he is right.)

Regards,
Florian Philipp
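The difference between scenarios 2 and 3 above, as an added example that is not part of the original thread: an unsalted fast hash gives every user with the same password the same stored record (so one precomputed table covers all leaked accounts), while a per-user random salt plus a slow derivation (PBKDF2-HMAC-SHA256 here, with an assumed iteration count) makes each record unique and each guess costly. The sample passwords are constructed; the first is the one quoted in the thread.

```python
import hashlib
import hmac
import os
from typing import Callable, List, Optional

# Constructed sample passwords; two users happen to share the first one.
SAMPLE_PASSWORDS = ["$cb78862A!", "$cb78862A!", "correct horse battery staple"]

# Scenario 2: a fast, unsalted hash such as MD5.
def weak_store(password: str) -> str:
    """Unsalted MD5 digest. Identical passwords -> identical records, so a
    single precomputed table serves every account in a leaked database."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()

# Scenario 3: a slow, salted derivation. The work factor is an assumption;
# raise it as hardware gets faster.
PBKDF2_ITERATIONS = 200_000

def strong_store(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'iterations$salt_hex$key_hex'. A fresh 16-byte salt per user
    means identical passwords yield different records and no precomputed
    table applies; the iteration count makes every guess expensive."""
    salt = os.urandom(16) if salt is None else salt
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                              PBKDF2_ITERATIONS)
    return f"{PBKDF2_ITERATIONS}${salt.hex()}${key.hex()}"

def strong_verify(password: str, record: str) -> bool:
    """Re-derive from the stored salt and compare in constant time."""
    iterations, salt_hex, key_hex = record.split("$")
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                              bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(key.hex(), key_hex)

def records_collide(store: Callable[[str], str], passwords: List[str]) -> bool:
    """True if two users who share a password also share a stored record,
    i.e. the scheme lets an attacker crack many accounts with one guess."""
    seen = {}
    for pw in passwords:
        rec = store(pw)
        if pw in seen and seen[pw] == rec:
            return True
        seen[pw] = rec
    return False

if __name__ == "__main__":
    print("unsalted MD5 records collide:", records_collide(weak_store, SAMPLE_PASSWORDS))
    print("salted PBKDF2 records collide:", records_collide(strong_store, SAMPLE_PASSWORDS))
```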